CVE-2024-41746
Published: 16 January 2025
Description
IBM CICS TX Advanced 10.1, 11.1, and Standard 11.1 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
Security Summary
CVE-2024-41746 is a stored cross-site scripting vulnerability (CWE-79) in IBM CICS TX Advanced versions 10.1 and 11.1, as well as Standard 11.1. The issue affects the Web UI, enabling users to embed arbitrary JavaScript code that alters the intended functionality and can potentially lead to credentials disclosure within a trusted session. Published on 2025-01-16, it carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N).
Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction or privileges required. Successful exploitation allows injection of malicious JavaScript into the Web UI, which executes in the context of trusted users' sessions, potentially enabling theft of credentials or other sensitive data.
IBM has issued a security advisory with details on the vulnerability and mitigation at https://www.ibm.com/support/pages/node/7171873.
Details
- CWE(s)